Described below is a method and an apparatus for ensuring an interception- and counterfeit-proof communication between devices, and more particularly a method and an apparatus for protecting a negotiation of at least one cryptographic key. Also described below is a computer program product which initiates the execution of a method for protecting a negotiation of at least one cryptographic key, as well as a data storage facility on which the computer program product is stored.
In modern-day building technology applications, a plurality of devices and components are installed not only in factory buildings, but also in business and private premises. It is possible in such cases that at least a selection of the installed devices will communicate with one another and in the process exchange data. A possible application scenario involving intercommunicating devices is building automation. In such applications a central control unit is typically provided which addresses a plurality of devices by control commands and thereby regulates for example the air conditioning for the entire building. Given a suitable infrastructure, the devices installed in a building can be configured in a peer-to-peer or client-server network.
Furthermore, vehicles are known which are provided with control units that communicate with appliances installed in a household by a wireless interface. Thus, it is known that a car driver can control the amount of heat generated by a heating appliance or the closing or opening of shutters by his/her in-car display via a mobile radio interface. In the application scenarios described, the plurality of devices communicating with one another are in some cases sourced from different manufacturers, for which reason the communication networks are characterized by a high degree of heterogeneity in terms of the manufacturers of network components and the use of network protocols. What is crucial in the application scenario is that the communication between the individual devices can take place in an interception- and counterfeit-proof manner. Various network technologies and encryption protocols are known for this purpose.
A well-known protocol, in particular in the building automation field, i.e. in an automated system for controlling devices installed in buildings, is the BACnet protocol, where BACnet stands for “Building Automation and Control Network”. This is a network protocol which supports communication between devices in building automation technology and a corresponding risk management system. BACnet Security is based on symmetric cryptography, i.e. the communicating devices must have in common a secret, also referred to as a key, which they share. A key server is provided for distributing keys; using a “basic key” as a basis, the key server distributes further keys securely to the communicating devices. The “basic key”, referred to in the BACnet standard as a “device master key”, is individual and unique, i.e. different for each device. It must be imported into the key server or into the communicating device in a suitable, secure manner and with an absolute minimum of configuration effort in order to enable the secure distribution of further keys between key server and device.
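The key distribution described above can be illustrated as follows. This is an added example, not part of the original text and not the BACnet message format: a key server protects a further key for one device under that device's master key, and the device accepts it only if the integrity check succeeds. The HMAC-SHA256 based construction, the function names `wrap_key` and `unwrap_key`, and the device identifiers and key values are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode: n pseudorandom bytes for (key, label)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _subkeys(master_key: bytes, device_id: bytes):
    """Derive separate encryption and MAC keys, both bound to the device."""
    return (_prf(master_key, b"enc|" + device_id, 32),
            _prf(master_key, b"mac|" + device_id, 32))

def wrap_key(master_key: bytes, device_id: bytes, new_key: bytes) -> bytes:
    """Key server side: encrypt-then-MAC new_key under the device master key."""
    nonce = secrets.token_bytes(16)  # fresh per message
    enc_key, mac_key = _subkeys(master_key, device_id)
    stream = _prf(enc_key, nonce, len(new_key))
    ct = bytes(a ^ b for a, b in zip(new_key, stream))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_key(master_key: bytes, device_id: bytes, blob: bytes):
    """Device side: return the distributed key, or None if the check fails."""
    if len(blob) < 16 + 32:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(master_key, device_id)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    stream = _prf(enc_key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))

if __name__ == "__main__":
    # Constructed sample values: one individual master key per device.
    master_keys = {b"device-A": secrets.token_bytes(32),
                   b"device-B": secrets.token_bytes(32)}
    further_key = secrets.token_bytes(16)
    blob = wrap_key(master_keys[b"device-A"], b"device-A", further_key)
    print("device-A accepts:", unwrap_key(master_keys[b"device-A"], b"device-A", blob) == further_key)
    print("device-B accepts:", unwrap_key(master_keys[b"device-B"], b"device-B", blob) is not None)
```

Because each master key is individual to one device, a message prepared for one device is rejected by every other device, and any modification in transit is detected before the key is used.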
The BACnet specification describes shipping the devices with a device master key which is printed on a tear-off label. The label is removed and the device master key is entered manually into the key server. BACnet also supports commands for transporting a device master key from the key server over the device network. However, these possibilities have the disadvantage that they are either time-consuming, labor-intensive and prone to error, since they are based on manual input, or insecure, because the keys are distributed over the insecure network.
Cryptographic methods are employed inter alia for encrypting messages, signing documents and authenticating persons or objects. Techniques referred to as asymmetric encryption methods in particular are suitable for this, since they provide a subscriber both with a private key, which is kept secret, and a public key.
When encrypting a message, the sender obtains the public key of the desired addressee and uses it to encrypt the message. Only the addressee is thereafter able to decrypt the message again using the private key known only to him/her.
When signing a document, a signatory uses his/her private key to compute an electronic signature from a document. Other persons can verify the signature without difficulty with the aid of the signatory's public key. However, only signatures signed with the associated private key can be verified by the public key. By this unique assignment, and based on the assumption that the private key is kept secret by the signatory, a unique assignment of the signature to the signatory and the document is produced.
The asymmetric cryptography methods are based, as explained above, on a private and a public key. In this scheme the public key is generated from the private key by a predetermined algorithm. What is crucial for the cryptographic methods is that it will not be possible using the available computing capacities to effect a reversal, i.e. to determine the private key from the public key, within a reasonable time. The latter is assured provided the key length of the private key attains a minimum length. The minimum length of the key is dependent on the algorithms used for the encryption and on the definition of the public key.
The operations using the public or private keys require a deployment of computing resources. This requirement is dependent on the algorithms used and also on the length of the keys used. It proves advantageous in this case to apply cryptographic methods based on elliptic curves, since these afford a high level of security with short key lengths. In contrast to other methods, for cryptography methods based on elliptic curves no way of determining the private key from the public key is known in the related art for which the required computing resources increase more slowly than exponentially with increasing key length.
Typically, known methods for protecting a key negotiation are complicated and time-consuming, prone to error and insecure. In particular in building technology or building automation, no methods are known which allow cryptographic keys used for encrypting a communication to be negotiated in a secure manner in an insecure network.
The publication WO 2005/010214 A2 discloses a method for negotiating a symmetric key for communication between wireless sensor nodes of a network, wherein the negotiation of the symmetric key between a sensor node and a key center is protected with the aid of asymmetric keys stored in the sensor nodes.